General Privacy Notice for Employees and Contractors
Under the Data Protection Act 1998 (the Act); the Privacy & Electronic Communications (EC Directive) Regulations 2003 and the General Data Protection Regulation (GDPR) whenever you provide any personal data to Crest Plus Operations Limited (“The Company”), we are legally obliged to use your information in line with all laws concerning the collection, storage, processing, protection and security of such information.
At Crest Plus, we take our responsibilities very seriously, with regard to any personal data that is shared with us. We are committed to safeguarding and respecting the privacy and security of your personal information. We endeavour to keep all personal data safe and secure and use it only for the purposes for which it was collected, and not do anything with your data that you would not reasonably expect, in order to deliver a quality payment solution.
The Company is a “data controller” and a “data processor” which means that we are responsible for determining the purposes and means of processing personal data and also responsible for processing personal data on behalf of a controller; deciding how we hold and use personal information about you. We are required under legislation to notify you of the information contained in this privacy notice.
We will only collect personal data on the basis of (a) a contractual agreement, (b) your consent, (c) our legal obligations or (d) a legitimate interest, in line with our specific business operations and those of our related third party suppliers.
This notice applies to current and former employees and contractors and it does not form part of any contract of employment or other contract to provide services. Please read the following carefully to understand our policies and practices regarding your personal data and how we will treat it. By visiting our website www.crestplus.com you are accepting and consenting to the practices described in this policy.
For the purpose of the Act and GDPR, the data controller is Crest Plus Operations Limited of Office Village, Chester Business Park, Chester CH4 9QP. Our nominated representative for the purpose of this Act is Derek Harling. Should you have any concerns relating to privacy then please visit our online enquiries form or email email@example.com.
Data Protection Principles
- What information we may collect from you.
- What information we may receive from other sources.
- How we will use any information we have collected.
- How we use particularly sensitive personal information.
- Disclosure of your information and your individual preferences.
- How we keep your data safe and who has access to it.
- How long will we keep your personal data.
- Keeping your information up to date.
- Your rights regarding the personal information we hold and how you can limit the use of that information.
We may collect and process the following data about you
Information you give us.
You may give us information about you through our registration, application or recruitment process; by filling in forms on our website www.crestplus.com (our site) or by corresponding with us by phone, e-mail or post. This includes information you provide when you register to use our site; subscribe to our services; utilise the private members’ area of our site; search our site; participate in discussion boards or other social media functions on our site; enter a competition; promotion or survey and when you report a problem with our site.
The information you give us may include (but is not limited to) your name, postal address, date of birth, gender, marital status, dependents, e-mail address and contact telephone and mobile numbers, next of kin and emergency contact information, national insurance details, unique tax reference or tax code status, payroll records, financial bank account details, debit or credit card information, your salary, pay rate, pension and benefit information, work position, work location and start date, personal description, photograph ID documents (such as copies of passport and driving licence), recruitment information (including copies of right to work documentation (ETW), references and other information as part of the application or recruitment process), employment records (including work history, training records and professional memberships or affiliations), performance, disciplinary or grievance information and other profile information about you and / or your business activities.
Where appropriate we may ask you for more sensitive personal information such as information about your health including any medical condition, health and sickness records for any health and safety reasons or insurance cover that we may have to arrange. We may ask for further information in order to assess your tax status, or if you are participating or attending one of our events. This will be made clear at the point of registration, at which stage you will have the option not to proceed.
Information we collect about you.
We will collect additional personal information in the course of any period of work-related activities, to enable us to keep a record of your working relationship with us and in order to record how you would like to hear from us, including your marketing preferences.
- With regard to each of your visits to our site we may automatically collect the following information:
Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your site visit, including collecting details of your interest in various areas of our site by collecting ‘clicks’ at major landing points. We may also use aggregate information and statistics for the purposes of monitoring website usage in order to help us develop our service to you;
- Information about your site visit, including the full Uniform Resource Locators (URLs) clickstream from our site, together with date and time; products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, mouse-overs) and methods used to browse away from the page and any phone number used to call our customer service number;
Information we receive from other sources.
We may receive information about you from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or if you use any of the other websites we operate or other services that we may provide.
In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on our site. We may also work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
How will we use your information?
We will only use your personal information for the purposes for which we collected it, or where the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- To provide you with information about our services that we offer or that you have already purchased or enquired about.
- To provide you with information about our services that we offer or that you have already purchased or enquired about.
- In order to make decisions about your recruitment or appointment and to determine the terms on which you work for us.
- To carry out our contractual obligations and administer the contract we have entered into with you and to provide you with the information, products and services that you request from us.
- To ensure we remain compliant with various laws, throughout our business operations for example, verifying eligibility to work (ETW) and that you are legally entitled to work in the UK.
- To carry out our obligations as your employer; payment for services or those arising from any legal or governmental responsibilities that we are required to satisfy, such as deducting tax and National Insurance contributions, and liaison with your pension provider.
- For the purposes of conducting work related tasks such as conducting appraisals, performance reviews, education, training, managing performance and determining development requirements. Making decisions about salary reviews, compensation, or other rewards and benefits. Assessing qualifications for a particular job or task, including decisions about possible promotions.
- For the purposes of gathering evidence for possible grievance or disciplinary hearings. Making decisions about your continued employment or engagement or making arrangements for the termination of our working relationship.
- Where it is necessary for our legitimate interests (or those of a third party) and for your interests, and your fundamental rights do not override those interests.
- Where we need to protect your interests (or someone else’s interests), such as fraud prevention.
- Where it is needed in the public interest or dealing with legal disputes involving you, or other employees and contractors, including accidents at work.
- To provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. We will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiation of a sale to you.
- If you are a new customer who is a consumer (not a business) we (or the selected third parties we may pass your data to) will contact you by electronic means only if you have consented to this. If you are happy for us to use your data in this way, or to pass your details on to our third parties for marketing purposes, please notify us by email to firstname.lastname@example.org or visit our secure members area to select your marketing preferences.
- To notify you about changes to our service or to provide you with information about special features of our site or any special service or products which we think may be of interest to you. If you would rather not receive this information please let us know. We reserve the right to use other tracking technologies in the future.
- To ensure that content from our site is administered and presented in the most effective manner for you and for your computer, from time to time.
- To enable our customer service to carry out troubleshooting, data analysis, testing, research, statistical and surveys so that we can monitor, review and better understand retention and attrition rates.
- So that we or our agents and sub-contractors can occasionally contact you including by post, email or telephone, to ask you for your feedback and comments on our services so we understand how we can continually keep improving our products, services and information that we provide.
- To allow you to participate in interactive features of our service, as and when you choose to do so.
- Monitoring of our information and communication systems as part of our efforts to keep our site safe and secure, to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and to prevent malicious software distribution in line with our IT policies.
- To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
How we use particularly sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent;
- Where we need to carry out our legal obligations and employer obligations;
- Where it is needed in the public interest, such as for equal opportunities monitoring;
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Under our obligations as an employer, we will use your particularly sensitive personal information in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related leaves, in order to comply with Health & Safety regulations, employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- We will use information about your gender, race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring; dealing with our regulators and quality assurance reporting.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
Disclosure of your information and your individual preferences
Occasionally we carry out surveys or other promotional activities which may be to introduce new services from Crest Plus, our selected partners or for more general interest. Any participation in such surveys is entirely optional and requires express permission.
If you provide your consent, then we may contact you to keep you updated on our services or events. Occasionally we may include information from partner organisations. We do our best to make it easy for you to tell us how you would like us to communicate with you.
If you do not want us to contact you then you can opt out of our communications or indicate your preferences or preferred channel by emailing us at email@example.com or use our online preference form at https://www.crestplus.com/contact-us/ or via our secure members area login.
We may share your personal information with any member in our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in the Companies Act 2006.
We require all the categories of information in the list above primarily to allow us to perform our contractual obligations with you and to enable us to comply with our legal obligations. In some situations we may share your personal information with selected third parties where required by law, where it is necessary to administer the working relationship or to pursue any other legitimate interests and were your fundamental rights do not override those interests. These may include:
- Business partners, third party service providers, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
- Our pension providers for the purposes of automatic enrolment pension administration.
- Our insurance providers for the purposes of insurance liability cover.
- Our financial partners for the purposes of payments and banking obligations, including fraud prevention.
- Our benefits providers for the purposes of any benefits provision and administration.
- We may need to disclose your details (if required) to the police, regulatory bodies or legal advisors.
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If we or any member of our group (or a substantial part of our or our group companies’ assets) are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
We require all third parties to respect the security of your data. They are required to take appropriate security measures to protect your personal information and to treat it in accordance with the law and our policies. We do not allow our third party providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
How we keep your data safe and who has access to it
Your information is held on systems that are maintained and managed securely by Crest Plus. Once we have received your information, we will use strict procedures and security features to ensure your data is protected to prevent unauthorised access; from being accidentally lost; used or accessed in an unauthorised way, altered or disclosed.
We will never sell or disclose any personal data to a third party unless requested to do so by an individual request. Any request should be made in writing to firstname.lastname@example.org. We limit access to your personal information to those employees, agents, contractors and other third parties who have a business or operational need. They will only process your personal information on our instructions and are subject to a duty of confidentiality and have agreed to keep any information confidential and secure.
We have put procedures in place to deal with any suspected data security breach and will notify you and the applicable regulator of any such suspected breach, where we are legally required to do so.
Our local and cloud firewall solutions are used to block unauthorised traffic to our network and servers. Crest Plus undertakes regular reviews of who has access to your information to ensure that it is only accessible by appropriately trained staff, who will also keep your information confidential. We have strict internal procedures covering the storage, access and disclosure of your information.
We may use external companies to collect or process data on your behalf. We do extensive checks on these companies before we work with them and agree a contract and data protection agreement prior to any work taking place, that sets out our requirements and expectations, especially regarding how they may manage personal data they collect or have access to.
How long will we keep your personal data?
We will hold your personal information on our systems for as long as is necessary to fulfil the purposes of which it was collected for in respect of any relevant activity. For example, we will hold payment information for a minimum period to enable us to comply with our statutory HMRC accounting, reporting and legal obligations.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee or contractor of the company we will retain and securely destroy your personal information in accordance with the applicable laws and regulations.
If you request that we stop sending you marketing materials, we will keep a record of your contact details and appropriate information that aids us to comply with your request not to be contacted.
Keeping your information up to date
It’s important that we keep your information up to date and accurate, as this is part of our obligation in order to comply with GDPR. We would also like to be able to stay in touch with you regarding relevant communications via the most appropriate method.
If any of the information that you have provided to Crest Plus changes, for example if you change your e-mail address, name or address please email email@example.com or change your personal information in our secure members area.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees and contractors).
You have the right to ask us to restrict, stop or suspend processing of your personal data, assuming that it’s not essential for the purpose that it was provided, we will do so. You have the right to ask us to stop sending you any direct marketing materials, and can exercise your right to prevent such processing at any time by contacting us at firstname.lastname@example.org or changing your preferences via our secure members area.
You have the right to request access to your personal information we hold about you (commonly known as a “data access request”). If you would like access to your information then please send your request in writing to email@example.com detailing the information that you would like to see. We can only accept information requests in writing from the individual themselves, and charges may be made for any multiple or excessive requests for information.
You have the right to request correction of the personal information that we hold about you, in order to correct any incomplete or inaccurate information we hold about you.
You have the right to request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see above).
You have the right to request the transfer of your personal information to another party.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
To improve your browsing experience we do use services provided by third parties such as LinkedIn, Google and other social media bodies. Whilst every reasonable effort is taken to protect your data and ensure your privacy is respected, please bear in mind that we have no direct control over these services or any information shared with them and that this is your responsibility. Please be aware that it is not possible for us to guarantee that they adhere to the same standards as Crest Plus.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us at firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
What About Cookies?
We don’t store personally identifiable information in cookies, nor do we sell the information collected by cookies. No information gathered on this website will be disclosed to third parties, except where required by law.
As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser.
How do I disable cookies?
It is usually possible to stop your browser accepting cookies, or to stop it accepting cookies from a particular website. For example, we cannot tell if you are signed in without using cookies. All modern browsers allow you to change your cookie settings. These settings will typically be found in the ‘options’ or ‘preferences’ menu of your browser.
How to contact Crest Plus
Updated: April 2018